Access management system and access management method

ABSTRACT

According to one embodiment of the present application, provided is an access management method of an access control device, comprising the steps of: receiving, from a user terminal, a first advertising packet including open authentication information; generating a key on the basis of at least a first random key; confirming the open authentication information on the basis of the generated key; and determining the opening of a door on the basis of the open authentication information.

TECHNICAL FIELD

The present invention relates to an access management system and anaccess management method using the same.

BACKGROUND ART

In a technology for managing access to a building or a specific area, atechnology for managing access by acquiring information previouslystored in a user terminal and determining whether to open a door by anaccess management device is used.

In the technology, the user terminal is conventionally implemented as acard key or the like, but recently, has become broadly implemented as amobile terminal such as a smart phone carried by a user.

In the access management using a mobile terminal, it takes a long timefor the access management device to acquire information required fordetermining whether to open the door from the mobile terminal, comparedto using the conventional card key, from a connection of communicationto acquisition of data and to determination, and thus a user may beuncomfortable due to a sensation of delay.

Accordingly, research is being conducted on an access management systemcapable of opening a door using a mobile terminal to reduce the timerequired for a user to access and open a door.

DISCLOSURE Technical Problem

The present invention is directed to providing an access managementsystem and an access management method using the same that are capableof improving a discomfort that may be felt by a user, who needs to wait,due to a time taken to access and open a door because informationrequired for authentication is acquired after a communication connectionprocedure between devices is completed.

Technical Solution

One aspect of the present invention provides an access management methodof an access control device that performs authentication on a userterminal using an advertising packet, the access management methodincluding: receiving a first advertising packet including openauthentication information from a user terminal, the first advertisingpacket including a first random key used for generating a key fordecrypting the open authentication information; generating the key onthe basis of at least the first random key; identifying the openauthentication information on the basis of the generated key; anddetermining the door to be opened on the basis of the openauthentication information.

Another aspect of the present invention provides a method of controllinga user terminal, which allows data communication to be performed with anaccess control device that determines opening or closing of a door usingan advertising packet, the method including: generating a firstadvertising packet including a first random key and open authenticationinformation, wherein the open authentication information is encrypteddata, and the first random key is used for generating a key fordecrypting the open authentication information; and transmitting thefirst advertising packet to the access control device.

Another aspect of the present invention provides an access controldevice that performs authentication on a user terminal using anadvertising packet, the access control device including: a communicationunit; and a door control unit configured to: receive a first advertisingpacket including open authentication information from a user terminal,the first advertising packet including a first random key used forgenerating a key for decrypting the open authentication information;generate the key on the basis of at least the first random key toidentify the open authentication information on the basis of thegenerated key; and determine the door to be opened on the basis of theopen authentication information.

Advantageous Effects

According to the present inventions, since information required for userauthentication for opening a door is acquired while a communicationconnection procedure between devices is in progress, the user'sdiscomfort according to the time taken for the user to access and openthe door can be reduced.

DESCRIPTION OF DRAWINGS

FIG. 1 is an environment diagram illustrating an access managementsystem (10000) according to an embodiment of the present application.

FIG. 2 is an environment diagram illustrating an access managementsystem (10000) according to an embodiment of the present application.

FIG. 3 is a block diagram illustrating a user terminal (1000) accordingto an embodiment of the present application.

FIG. 4 is a block diagram illustrating an access control device (2000)according to an embodiment of the present application.

FIG. 5 is a block diagram illustrating an authentication server (3000)according to an embodiment of the present application.

FIG. 6 is a diagram for describing a communication connection betweendevices in a Bluetooth Low Energy (BLE) method.

FIG. 7 is a diagram for describing an operation of an access managementsystem 10000 that performs authentication on a user terminal (1000)using an advertising packet according to an embodiment of the presentapplication.

FIG. 8 is a diagram for describing a data packet according to anembodiment of the present application.

FIG. 9 is a diagram for describing an operation of transmittingauthentication information between an access control device (2000) andan authentication server (3000) according to an embodiment of thepresent application.

FIG. 10 is a diagram for describing an operation of an access managementsystem (10000) that performs authentication on a user terminal 1000using an advertising packet according to an embodiment of the presentapplication.

FIG. 11 is a diagram for describing an operation in which an advertisingpacket is transmitted according to a user input, which is input to auser terminal (1000), in an access management system (10000) accordingto an embodiment of the present application.

FIG. 12 is a diagram for describing an operation of an access managementsystem (10000) according to the signal strength of an advertising packetreceived from a user terminal (1000) according to an embodiment of thepresent application.

BEST MODE OF THE INVENTION

According to an embodiment of the present application, an accessmanagement method of an access control device that performsauthentication on a user terminal using an advertising packet may beprovided, and the access management method includes: receiving a firstadvertising packet including open authentication information from theuser terminal, the first advertising packet including a first random keyused for generating a key for decrypting the open authenticationinformation; generating the key on the basis of at least the firstrandom key; identifying the open authentication information on the basisof the generated key; and determining the door to be opened on the basisof the open authentication information.

[Modes of the Invention]

The above objects, features and advantages of the present invention willbecome more apparent from the following detailed description taken inconjunction with the accompanying drawings. However, the presentinvention may be modified in various ways and may have variousembodiments. Hereinafter, specific embodiments will be illustrated inthe drawings and described in detail.

In the drawings, the thicknesses of layers and regions are exaggeratedfor the purpose of clarity. Further, when an element or layer isreferred to as being “on” another element or layer, it can be directlyon another element or intervening layers or elements may be present. Inthe following description, the same reference numerals are used todesignate the same elements in principle. In addition, elements havingthe same function within the scope of the same idea shown in thedrawings of each embodiment will be described using the same referencenumerals.

In addition, when it is determined that the detailed description of theknown function or configuration related to the present invention mayunnecessarily obscure the subject matter of the present invention, thedetailed description thereof will be omitted. In addition, numerals(e.g., first, second, etc.) used in the description of the presentinvention are merely an identifier for distinguishing one component fromanother component.

The suffixes “module” and “unit” for components used in the followingdescription are given or used in consideration of ease of specificationand do not have distinct meanings or roles from each other.

FIG. 1 is an environment diagram illustrating an access managementsystem 10000 according to an embodiment of the present application.

Referring to FIG. 1 , the access management system 10000 according tothe embodiment of the present application may include a user terminal1000 and an access control device 2000.

According to an embodiment of the present application, the accesscontrol device 2000 may receive a data packet from the user terminal1000. According to another embodiment of the present application, theuser terminal 1000 may receive a data packet from the access controldevice 2000. According to still another embodiment of the presentapplication, the user terminal 1000 may transmit a data packet to theaccess control device 2000 and receive a data packet from the accesscontrol device 2000.

For a specific example, the access control device 2000 may receive anadvertising packet from the user terminal 1000. For another specificexample, the access control device 2000 may transmit an advertisingpacket to the user terminal 1000, and the user terminal 1000 maytransmit a second advertising packet in response to the firstadvertising packet transmitted from the access control device 2000.

According to the embodiment of the present application, the userterminal 1000 may request the access control device 2000 to open a door.For example, the user terminal 1000 may request opening for the door bytransmitting open authentication information to the access controldevice 2000. As another example, the user terminal 1000 may requestopening for the door by transmitting open authentication information tothe access control device 2000 such that the validity of the openauthentication information is determined, and transmitting open requestinformation for opening a door.

According to the embodiment of the present application, the accesscontrol device 2000 may check the validity of the open authenticationinformation on the basis of the data packet received from the userterminal 1000 and may open the door when the user terminal 1000 that hastransmitted the open authentication information is identified as havinga right to open the door.

The transmission and reception of data packets between the user terminal1000 and the access control device 2000 and specific informationincluded in the data packets will be described in more detail below.

FIG. 2 is an environment diagram illustrating an access managementsystem 10000 according to an embodiment of the present application.

Referring to FIG. 2 , the access management system 10000 according tothe embodiment of the present application may include a user terminal1000, an access control device 2000, and an authentication server 3000.

The access management system 10000 according to the embodiment of thepresent application disclosed in FIG. 2 performs almost the sameoperation as that of the access management system 10000 according to theembodiment of the present application disclosed in FIG. 1 , except forfurther including the authentication server 3000.

Accordingly, the same operation of the access management system 10000that has been described in FIG. 1 will be omitted in describing theembodiment described in FIG. 2 , and the redundant description will bereplaced using the same reference numerals.

According to the embodiment of the present application, theauthentication server 3000 may be connected to the access control device2000.

According to the embodiment of the present application, theauthentication server 3000 may provide the access control device 2000with information related to the open authentication information. Theauthentication server 3000 may provide the access control device 2000with information related to the open authentication information receivedby the access control device 2000 from the user terminal 1000. Theauthentication server 3000 may provide the access control device 2000with information for checking the validity of the open authenticationinformation.

According to the embodiment of the present application, the accesscontrol device 2000 may request the authentication server 3000 totransmit the information related to the open authentication information.The access control device 2000 may request the authentication server3000 to transmit the information for checking the validity of the openauthentication information.

The transmission and reception of data packets between the user terminal1000, the access control device 2000, and the authentication server 3000and specific information included in the data packets will be describedin more detail below.

FIG. 3 is a block diagram illustrating a user terminal 1000 according toan embodiment of the present application.

Referring to FIG. 3 , the user terminal 1000 may include a terminalcommunication unit 1100, a terminal display unit 1200, a terminal inputunit 1300, a terminal storage unit 1400, and a terminal control unit1500.

The terminal communication unit 1100 may connect the user terminal 1000to an external electronic device. For example, the terminalcommunication unit 1100 may connect the user terminal 1000 to anexternal electronic device such as the access control device 2000 andthe like.

The terminal communication unit 1100 may be a communication modulesupporting wired and/or wireless communication. The terminalcommunication unit 1100 may be implemented as a wired connector, acommunication chip, or a communication module.

The terminal communication unit 1100 according to the embodiment of thepresent application may include a communication interface for performingBluetooth Low Energy (BLE) communication. For example, the terminalcommunication unit 1100 may perform transmission of an advertisingpacket before BLE communication connection. As another example, theterminal communication unit 1100 may transmit a first advertising packetbefore a BLE communication connection and, upon receiving a secondadvertising packet transmitted in response to the first advertisingpacket, transmit a connection request for a connection of BLEcommunication.

The terminal display unit 1200 may output visual information. Theterminal display unit 1200 may be implemented as a display panel or thelike.

According to the embodiment of the present application, when theterminal display unit 1200 is provided as a touch screen, the terminaldisplay unit 1200 may perform the function of the terminal input unit1300. In this case, depending on the selection, the user terminal 1000may not be provided with a separate terminal input unit 1300.

The terminal input unit 1300 may acquire a signal corresponding to auser's input. The terminal input unit 1300 may be implemented as, forexample, a keyboard, a keypad, a button, a jog shuttle, a wheel, or adisplay panel.

The terminal storage unit 1400 may store data. The terminal storage unit1400 may store data required for the operation of the user terminal1000. The terminal storage unit 1400 may be implemented as a flashmemory, a random-access memory (RAM), a read-only memory (ROM), asolid-state drive (SSD), a secure digital (SD) card or an optical disk.

The terminal storage unit 1400 according to the embodiment of thepresent application may store data required for generating openauthentication information.

The data required for generating the open authentication information maybe identification information of the access control device 2000, useridentification information associated with the access control device2000, identification information of the user terminal 1000, a personalidentification number (PIN), and/or a password. The data required forgenerating the open authentication information may be information and/orsetting information required for encryption of the open authenticationinformation.

The terminal control unit 1500 may perform overall operations of theuser terminal 1000. The terminal control unit 1500 may be implemented inthe form of a central processing unit (CPU) or a controller.

FIG. 4 is a block diagram illustrating an access control device 2000according to an embodiment of the present application.

Referring to FIG. 4 , the access control device 2000 includes a doorcommunication unit 2100, a door display unit 2200, a door sensor unit2300, a door driving unit 2400, a door storage unit 2500, and a doorcontrol unit 2600.

The door communication unit 2100 may connect the access control device2000 to an external electronic device. For example, the doorcommunication unit 2100 may connect the access control device 2000 to anexternal electronic device such as the user terminal 1000 and the like.

The door communication unit 2100 may be a communication modulesupporting wired and/or wireless communication. The door communicationunit 2100 may be implemented as a wired connector, a communication chip,or a communication module. For a more specific example, the doorcommunication unit 2100 may be a communication module capable ofacquiring data from the user terminal 1000.

The door communication unit 2100 according to some embodiments of thepresent application may include a communication module capable ofreceiving an advertising packet. For a more specific example, the doorcommunication unit 2100 may include an interface that communicatesthrough a Bluetooth or BLE method.

For example, the door communication unit 2100 may include acommunication interface for performing BLE communication, and the doorcommunication unit 2100 may receive an advertising packet from theterminal communication unit 1100 before a BLE communication connection.As another example, the door communication unit 2100 may include acommunication interface for performing BLE communication, and the doorcommunication unit 2100 may, before a BLE communication connection,transmit an advertising packet and receive an advertising packettransmitted in response to the advertising packet.

The door display unit 2200 may output visual information. The doordisplay unit 2200 may be implemented as a display panel or the like.When the door display unit 2200 includes a touch panel, the door displayunit 2200 may also operate as an input device based on a touch input.

The door sensor unit 2300 may acquire a signal related to an open stateof the door. The door sensor unit 2300 may be implemented as an infraredsensor, an optical sensor, or a magnetic sensor.

According to the embodiment of the present application, the door sensorunit 2300 may acquire a signal required for determining the state of thedoor. The door sensor unit 2300 may acquire a signal required fordetermining the state of the door and transmit the acquired signal tothe door control unit 2600.

The door driving unit 2400 may provide power required for opening orclosing the door. The door driving unit 2400 may control a lockingdevice provided on a door to open or close the door, and the doordriving unit 2400 may provide the locking device with power required forcontrolling the locking device.

The door storage unit 2500 may store a program for performing a controloperation of the door control unit 2600 and may store data received froman external device and data generated from the door control unit 2600.

The door storage unit 2500 may be implemented as a flash memory, a RAM,a ROM, an SSD, an SD card, or an optical disk.

The door storage unit 2500 according to the embodiment of the presentapplication may store data required for checking the validity of openauthentication information. The data required for checking the validityof the open authentication information may be information for checkingwhether the user terminal 1000 that has transmitted the openauthentication information has a right to access the door. The datarequired for checking the validity of the open authenticationinformation may be identification information of a user, identificationinformation of the user terminal 1000, a PIN, and/or a password.

The door storage unit 2500 according to the embodiment of the presentapplication may store a private key and a public key corresponding tothe private key.

The door control unit 2600 controls the overall operation of the accesscontrol device 2000. The door control unit 2600 may be implemented inthe form of a CPU or a controller.

According to the embodiment of the present application, the door controlunit 2600 may determine whether to open the door on the basis of datareceived through the door communication unit 2100. Upon determining thedoor to be opened, the door control unit 2600 controls the door drivingunit 2400 to open the door.

FIG. 5 is a block diagram illustrating an authentication server 3000according to an embodiment of the present application.

Referring to FIG. 5 , the authentication server 3000 may include aserver communication unit 3100, a server display unit 3200, a serverinput unit 3300, a server storage unit 3400, and a server control unit3500.

The server communication unit 3100 may connect the server device 3000 toan external electronic device. For example, the server communicationunit 3100 may connect the authentication server 3000 to an externalelectronic device such as the access control device 2000 or the like.

The server communication unit 3100 may be a communication modulesupporting at least one of a wired communication method and a wirelesscommunication method. The server communication unit 3100 may beimplemented as a wired connector, a communication chip, or acommunication module. The server display unit 3200 may output visualinformation. For example, the server display unit 3200 may beimplemented as a display panel or the like.

The server input unit 3300 may acquire a signal corresponding to auser's input. The server input unit 3300 may be implemented as, forexample, a keyboard, a keypad, a button, a jog shuttle, a wheel, or adisplay panel.

The server storage unit 3400 may store data. The server storage unit3400 may store data required for the operation of the authenticationserver 3000. The terminal storage unit 1400 may be implemented as aflash memory, a RAM, a ROM, an SSD, an SD card, or an optical disk.

According to the embodiment of the present application, the serverstorage unit 3400 may store authentication information associated withthe access control device 2000. According to the embodiment of thepresent application, the server storage unit 3400 may store a programrequired for the operation of the authentication server 3000.

The server control unit 3500 may perform the overall operation of theserver device 3000. The server control unit 3500 may be implemented inthe form of a CPU or a controller.

In the above, each component included in the user terminal 1000, theaccess control device 2000, and the authentication server 3000 has beendescribed in detail. However, the user terminal 1000, the access controldevice 2000, and the authentication server 3000 according to the presentapplication do not need to include all of the above-describedcomponents, and some components may be excluded or added according tothe selection.

Hereinafter, an operation in the access management system 10000including at least the user terminal 1000 and the access control device2000 will be described in detail.

In describing the access management system 10000, the description may bedeveloped in a form in which the access management system 10000 includesthe user terminal 1000 and the access control device 2000, or in a formin which the access management system 10000 includes the user terminal1000, the access control device 2000, and the authentication server3000.

However, this is only to describe an embodiment assuming for convenienceof description, and in interpreting the scope of the present invention,it should be interpreted according to the principle of interpretation ofthe claims and should not be limited.

In the access management system disclosed in the present application,the opening of the door may be controlled using datatransmitted/received before a communication connection is establishedbetween the user terminal 1000 and the access control device 2000. Inthe case of controlling the opening of the door using datatransmitted/received before the communication connection is establishedbetween the user terminal 1000 and the access control device 2000, thereis a benefit of resolving a discomfort felt by a user due to a timetaken for the connection between the user terminal 1000 and the accesscontrol device 2000.

FIG. 6 is a diagram for describing a communication connection betweendevices in a BLE method.

The BLE communication connection disclosed herein may refer to anoperation of establishing a communication channel through frequencysynchronization between a first device and a second device. Before theBLE communication connection is established, data transmission/receptionbetween devices may be performed in order to perform the communicationconnection.

More specifically, before the communication connection is establishedbetween the first device and the second device, the first device maytransmit an advertising packet to the second device.

Since frequency synchronization between the first device and the seconddevice is not performed before the communication connection isestablished between the first device and the second device, the firstdevice and the second device may be in a state of changing a datatransmission path to 2402 MHz, 2426 MHz or 2480 MHz through frequencyhopping.

The advertising packet transmitted from the first device to the seconddevice may be an advertising signal. A method of transmitting theadvertising signal to the second device by the first device may be inthe form of broadcasting.

As described above, the first device may transmit data through at leastone of frequency bands of 2402 MHz, 2426 MHz, and 2480 MHz. In thiscase, the first device may be an advertiser.

The second device may perform scanning at preset time intervals. Thesecond device may be in a state of changing the data reception path to2402 MHz, 2426 MHz or 2480 MHz through frequency hopping to receive datatransmitted at 2402 MHz, 2426 MHz or 2480 MHz.

The second device may receive the advertising signal transmitted fromthe first device. The second device may receive data from the firstdevice through one of frequency bands of 2402 MHz, 2426 MHz, and 2480MHz. In this case, the second device may be a scanner.

Although not essential, the second device that has received theadvertising signal from the first device may transmit an advertisingpacket to the first device. The advertising packet transmitted from thesecond device to the first device may be a scan request. The seconddevice that has received the advertising signal from the first devicemay transmit the scan request to the first device to request requiredinformation.

The first device that has received the scan request from the seconddevice may forward an advertising packet to the second device. Theadvertising packet transmitted from the first device to the seconddevice may be a scan response.

The first device having confirmed the existence of the second device mayrequest a connection to the second device. In other words, theadvertiser may request a connection to the scanner. Alternatively, thesecond device may request a connection to the first device. The scannermay request a connection to the advertiser.

After a connection is requested from one side, when a communicationconnection is established between the first device and the seconddevice, a data transmission/reception frequency may be synchronizedbetween the first device and the second device. The first device and thesecond device may share information about the datatransmission/reception frequency and frequency hopping timing.

In this way, security is reinforced, and bytes of data that may betransmitted may be increased.

According to the embodiment of the present application, anauthentication procedure for controlling the access management system10000 may be performed using such an advertising packettransmitted/received before the BLE communication connection describedabove is established.

FIG. 7 is a diagram for describing an operation of an access managementsystem 10000 that performs authentication on a user terminal 1000 usingan advertising packet according to an embodiment of the presentapplication.

The access control device 2000 may transmit a first advertising packetto the user terminal 1000 (S1100). The first advertising packet may betransmitted in a broadcast form. The access control device 2000 may,while switching a data transmission path to a first, second, or thirdfrequency band, transmit the first advertising packet in one of thefirst, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

The first advertising packet may include a first random key. The firstadvertising packet may include identification information of the accesscontrol device 2000. The first advertising packet may include at leastone of a first random key and identification information of the accesscontrol device 2000.

According to the embodiment of the present application, theidentification information of the access control device 2000 may beencrypted, and the first random key may be used for generating a key fordecrypting the encrypted identification information of the accesscontrol device 2000.

According to the embodiment of the present application, openauthentication information to be described below may be encrypted, andthe first random key may be used for generating a key for decrypting theencrypted open authentication information.

Referring to FIG. 8A, data included in a payload of the firstadvertising packet may not exceed 38 bytes. For example, the firstrandom key and the identification information of the access controldevice 2000 included in the first advertising packet may not exceed 38bytes.

The user terminal 1000 may perform scanning. The user terminal 1000 may,while switching the data reception path to the first, second, or thirdfrequency band, receive the first advertising packet through one of thefirst, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

The user terminal 1000 that has received the first advertising packetmay transmit a second advertising packet (S1200). For example, thesecond advertising packet may be in the form of a scan request.

According to the embodiment of the present application, the userterminal 1000 that has received the first advertising packet maytransmit a second advertising packet to the access control device 2000(S1200). The user terminal 1000 may transmit the second advertisingpacket through the data transmission path through which the firstadvertising packet has been received.

The second advertising packet may include a second random key. Thesecond advertising packet may include open authentication information.The second advertising packet may include at least one of a secondrandom key and open authentication information.

The open authentication information may include information provided toopen the door. For example, the open authentication information mayinclude at least one of user identification information, identificationinformation of the user terminal 1000, a PIN, and a password.

According to the embodiment of the present application, the openauthentication information may be encrypted, and the second random keymay be used for generating a key for decrypting the encrypted openauthentication information.

According to the embodiment of the present application, the secondadvertising packet may further include the first random key. The secondadvertising packet may include the first random key, the second randomkey, and the open authentication information, and the key for decryptingthe encrypted open authentication information may be generated on thebasis of the first random key and the second random key.

Referring to FIG. 8A, data included in a payload of the secondadvertising packet may not exceed 38 bytes. For example, the secondrandom key and the open authentication information included in thesecond advertising packet may not exceed 38 bytes. As another example,the first random key, the second random key, and the open authenticationinformation included in the second advertising packet may not exceed 38bytes.

The access control device 2000, upon receiving the second advertisingpacket including the open authentication information from the userterminal 1000, may identify the open authentication information (S1300).

The access control device 2000 may generate a key for decrypting theopen authentication information on the basis of at least the secondrandom key. According to the embodiment of the present application, theaccess control device 2000 may generate the key for decrypting the openauthentication information on the basis of the second random key.According to the embodiment of the present application, the accesscontrol device 2000 may generate the key for decrypting the openauthentication information on the basis of the first random key and thesecond random key.

The access control device 2000 may identify the open authenticationinformation on the basis of the generated key. In other words, theaccess control device 2000 may read the open authentication informationby decrypting the open authentication information.

The access control device 2000 may check the validity of the openauthentication information (S1400).

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information stored in theaccess control device 2000 with the open authentication information tocheck the validity of the open authentication information. The doorcontrol unit 2600 may compare the authentication information stored inthe door storage unit 2500 with the open authentication information tocheck the validity of the open authentication information.

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information received fromthe authentication server 3000 with the open authentication informationto check the validity of the open authentication information.

The authentication information may be information for checking thevalidity of the open authentication information. For example, theauthentication information may include at least one of useridentification information, identification information of the userterminal 1000, a PIN, and a password.

According to another embodiment, the access control device 2000 maytransmit a first advertising packet to the user terminal 1000 (S1100).The first advertising packet may be transmitted in a broadcast form. Theaccess control device 2000 may, while switching a data transmission pathto a first, second, or third frequency band, transmit the firstadvertising packet in one of the first, second, and third frequencybands. For example, the first, second, and third frequency bands may be2402 MHz, 2426 MHz, and 2480 MHz, respectively.

The first advertising packet may include a public key. The public keyincluded in the first advertising packet may be a public keycorresponding to a private key stored in the access control device 2000.Alternatively, the public key included in the first advertising packetmay be a public key corresponding to a private key received by theaccess control device 2000 from the authentication server 3000.

Referring to FIG. 8A, data included in a payload of the firstadvertising packet may not exceed 38 bytes. For example, the public keyincluded in the first advertising packet may not exceed 38 bytes.

The user terminal 1000 may perform scanning. The user terminal 1000 may,while switching the data reception path to the first, second, or thirdfrequency band, receive the first advertising packet in one of thefirst, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

The user terminal 1000 that has received the first advertising packetmay transmit a second advertising packet (S1200). For example, thesecond advertising packet may be in the form of a scan request.

According to the embodiment of the present application, the userterminal 1000 that has received the first advertising packet maytransmit the second advertising packet to the access control device 2000(S1200). The user terminal 1000 may transmit the second advertisingpacket through a data transmission path through which the firstadvertising packet has been received.

The second advertising packet may include open authenticationinformation encrypted with the received public key. The openauthentication information may include information provided to open thedoor. For example, the open authentication information may include atleast one of user identification information, identification informationof the user terminal 1000, a PIN, and a password.

Referring to FIG. 8A, data included in a payload of the secondadvertising packet may not exceed 38 bytes. For example, the openauthentication information encrypted with the public key and included inthe second advertising packet may not exceed 38 bytes.

The access control device 2000, upon receiving the second advertisingpacket including the open authentication information from the userterminal 1000, may identify the open authentication information (S1300).The access control device 2000 may check the validity of the openauthentication information (S1400).

According to the embodiment of the present application, the accesscontrol device 2000 may decrypt the open authentication information onthe basis of the private key. The private key may be stored in the doorstorage unit 2500. Alternatively, the access control device 2000 mayreceive the private key from the authentication server 3000 and decryptthe open authentication information using the received private key.

The access control device 2000 may determine whether to open or closethe door by identifying whether the open authentication informationdecrypted on the basis of the private key has a right to access the doorassociated with the access control device 2000.

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information stored in theaccess control device 2000 with the open authentication information tocheck the validity of the open authentication information. Thecomparison procedure may be performed by the door control unit 2600.

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information received fromthe authentication server 3000 with the open authentication informationto check the validity of the open authentication information.

The authentication information may be information for checking thevalidity of the open authentication information. For example, theauthentication information may include at least one of useridentification information, identification information of the userterminal 1000, a PIN, and a password.

According to the embodiment of the present application, the accesscontrol device 2000 may determine the door to be opened (S1500). Forexample, the access control device 2000 may determine that the door isopened when the open authentication information received from the userterminal 2000 matches the authentication information received from theauthentication server 3000. As another example, the access controldevice 2000 may determine that the door is opened when the openauthentication information received from the user terminal 2000 matchesthe authentication information stored in the door storage unit 2500.

As another example, the access control device 2000 may determine whetherto open or close the door by identifying the open authenticationinformation (S1300). The access control device 2000 may check thevalidity of the open authentication information on the basis of whetherthe open authentication information is decrypted by the private key. Inother words, when a third advertising packet is decrypted by the privatekey, the access control device 2000 may identify that the user terminal1000 having transmitted the third advertising packet has a right toaccess the door associated with the access control device 2000 anddetermine that the door is opened. FIG. 9 is a diagram for describing anoperation of transmitting authentication information between an accesscontrol device 2000 and an authentication server 3000 according to anembodiment of the present application.

The access control device 2000 may, in order to check the validity ofthe open authentication information (S1400), request the authenticationserver 3000 to transmit authentication information (S1410). Theauthentication server 3000 may be connected to at least one accesscontrol device 2000 and may store authentication information of eachdoor.

The authentication server 3000 may extract authentication informationcorresponding to the access control device 2000 that has transmitted therequest (S1410) for the authentication information from pre-stored dataon authentication information (S1420). The authentication server 3000may transmit the extracted authentication information to the accesscontrol device 2000 (S1430).

In this manner, the access control device 2000 may receive theauthentication information for checking the validity of the openauthentication information from the authentication server 3000 and maycompare the received authentication information with the openauthentication information.

Subsequent to FIG. 7 , the access control device 2000, upon checking thevalidity of the open authentication information in S1400, may determinethe door to be opened (S1500). For example, the access control device2000 may compare previously stored authentication information with theidentified open authentication information, and when the authenticationinformation matches the open authentication information, determine thatthe door is opened. As another example, the access control device maycompare authentication information received from the authenticationserver 3000 with the identified open authentication information, andwhen the authentication information matches the open authenticationinformation, may determine that the door is opened.

Although not an essential procedure, the user terminal 1000 may, afterthe transmission of the second advertising packet in S1200,communicatively connect to the access control device 2000. In otherwords, after the transmission of the second advertising packet in S1200,a communication channel may be established between the user terminal1000 and the access control device 2000 through frequencysynchronization.

When the user terminal 1000 and the access control device 2000 arecommunicatively connected to each other, a packet in the form shown inFIG. 8B may be transmitted and received between the user terminal 1000and the access control device 2000.

In the access management system 10000 according to the embodiment of thepresent application, when large size data needs to be transmitted fromthe user terminal 1000 to the access control device 2000, or from theaccess control device 2000 to the user terminal 1000, an implementationmay be provided such that user authentication for opening the door usingan advertising packet is performed before a communication connection isestablished between the user terminal 1000 and the access control device2000, and then the communication connection is established between theuser terminal 1000 and the access control device 2000.

In the above, detailed description has been made on an operation ofperforming user authentication for opening the door of the accesscontrol device 2000 by operating the access control device 2000 as anadvertiser and operating the user terminal 1000 as a scanner.

Hereinafter, an operation of the access management system 10000 in whichthe user terminal 1000 operates as an advertiser and the access controldevice 2000 operates as a scanner will be described in detail.

In the embodiment, the user terminal 1000, such as a mobile device, isnot an agent that performs a repetitive scanning operation, and thus abenefit of reducing power consumption of the user terminal 1000 may bederived.

FIG. 10 is a diagram for describing an operation of an access managementsystem 10000 that performs authentication on a user terminal 1000 usingan advertising packet according to an embodiment of the presentapplication.

The user terminal 1000 may transmit a first advertising packet to theaccess control device 2000 (S2100). The first advertising packet may betransmitted in a broadcast form. The access control device 2000, whileswitching a data transmission path to a first, second, or thirdfrequency band, may transmit the first advertising packet in one of thefirst, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

The first advertising packet may include a first random key. The firstadvertising packet may include identification information of the userterminal 1000. The first advertising packet may include at least one ofa first random key and identification information of the user terminal1000.

According to the embodiment of the present application, theidentification information of the user terminal 1000 may be encrypted,and the first random key may be used for generating a key for decryptingthe encrypted identification information of the user terminal 1000.

According to the embodiment of the present application, openauthentication information to be described below may be encrypted, andthe first random key may be used for generating a key for decrypting theencrypted open authentication information.

Referring to FIG. 8A, data included in a payload of the firstadvertising packet may not exceed 38 bytes. For example, the firstrandom key and the identification information of the user terminal 1000included in the first advertising packet may not exceed 38 bytes.

The access control device 2000 may perform scanning. The access controldevice 2000, while switching a data reception path to a first, second,or third frequency band, may receive the first advertising packet in oneof the first, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

According to the embodiment of the present application, when the firstadvertising packet includes open authentication information, the accesscontrol device 2000, upon receiving the first advertising packet, mayimmediately identify the open authentication information (S2400).

According to another embodiment of the present application, as shown inFIG. 10 , the access control device 2000 that has received the firstadvertising packet may transmit a second advertising packet (S2200). Forexample, the second advertising packet may be in the form of a scanrequest.

According to the embodiment of the present application, the accesscontrol device 2000 may transmit the second advertising packet through adata transmission path through which the first advertising packet hasbeen received.

The second advertising packet may include a second random key. Thesecond advertising packet may include identification information of theaccess control device 2000. The second advertising packet may include atleast one of a second random key and identification information of theaccess control device 2000.

According to the embodiment of the present application, theidentification information of the access control device 2000 may beencrypted, and the second random key may be used for generating a keyfor decrypting the encrypted identification information of the accesscontrol device 2000.

According to the embodiment of the present application, openauthentication information to be described below may be encrypted, andthe second random key may be used for generating a key for decryptingthe encrypted open authentication information.

According to the embodiment of the present application, the secondadvertising packet may further include the first random key. The secondadvertising packet includes the first random key, the second random key,and the identification information of the access control device 2000,and the key for decrypting the encrypted open authentication informationto be described below may be generated on the basis of the first randomkey and the second random key.

Referring to FIG. 8A, data included in a payload of the secondadvertising packet may not exceed 38 bytes. For example, the secondrandom key and the identification information of the access controldevice 2000 included in the second advertising packet may not exceed 38bytes. As another example, the first random key, the second random key,and the identification information of the access control device 2000included in the second advertising packet may not exceed 38 bytes.

The user terminal 1000, upon receiving the second advertising packetfrom the access control device 2000, may transmit a third advertisingpacket (S2300). The user terminal 1000, upon receiving the secondadvertising packet from the access control device 2000, may transmit athird advertising packet to the access control device 2000 (S2300). Forexample, the second advertising packet may be in the form of a scanresponse.

According to the embodiment of the present application, the userterminal 1000 may transmit the third advertising packet through a datatransmission path through which the second advertising packet has beenreceived.

The third advertising packet may include a third random key. The thirdadvertising packet may include open authentication information. Thethird advertising packet may include at least one of a third random keyand open authentication information.

The open authentication information may include information provided toopen the door. For example, the open authentication information mayinclude at least one of user identification information, identificationinformation of the user terminal 1000, a PIN, and a password.

According to the embodiment of the present application, the openauthentication information may be encrypted, and the third random keymay be used for generating a key for decrypting the encrypted openauthentication information.

According to the embodiment of the present application, the thirdadvertising packet may further include the first random key. The thirdadvertising packet may further include the second random key. The thirdadvertising packet may include the first random key, the second randomkey, the third random key, and the open authentication information, andthe key for decrypting the encrypted open authentication information maybe generated on the basis of at least one of the first random key, thesecond random key, and the third random key.

Referring to FIG. 8A, data included in a payload of the thirdadvertising packet may not exceed 38 bytes. For example, the thirdrandom key and the open authentication information included in the thirdadvertising packet may not exceed 38 bytes. As another example, thefirst random key, the second random key, the third random key, and theopen authentication information included in the third advertising packetmay not exceed 38 bytes.

The access control device 2000, upon receiving the third advertisingpacket including the open authentication information from the userterminal 1000, may identify the open authentication information (S2300).

The access control device 2000 may generate the key for decrypting theopen authentication information on the basis of at least the thirdrandom key. According to the embodiment of the present application, theaccess control device 2000 may generate the key for decrypting the openauthentication information on the basis of the third random key.According to the embodiment of the present application, the accesscontrol device 2000 may generate the key for decrypting the openauthentication information on the basis of the first random key and thethird random key. According to the embodiment of the presentapplication, the access control device 2000 may generate the key fordecrypting the open authentication information on the basis of thesecond random key and the third random key. According to the embodimentof the present application, the access control device 2000 may generatethe key for decrypting the open authentication information on the basisof the first random key, the second random key, and the third randomkey.

In the case of an embodiment of generating the key for decrypting theopen authentication information on the basis of the first random key,the second random key, and the third random key, an effect ofstrengthening security may be derived compared to a case of generatingthe key for decrypting the open authentication information on the basisof the third random key.

The access control device 2000 may identify the open authenticationinformation on the basis of the generated key. In other words, theaccess control device 2000 may decrypt the open authenticationinformation to read the open authentication information.

The access control device 2000 may check the validity of the openauthentication information (S2500). The access control device 2000 may,upon checking the validity of the open authentication information,determine that the door is opened (S2600).

Operation S2500 may be performed similarly to operation S1400.

Operation S2600 may be performed similarly to operation S1500.

Therefore, detailed descriptions of opertions S2500 and S2600 will beomitted. Even in the access management system 10000 according to thepresent embodiment, a connection may be established between the userterminal 1000 and the access control device 2000 after the transmissionof the third advertising packet in S2300, as required. A detaileddescription thereof has also been described above and thus will beomitted.

According to another embodiment on FIG. 10 , the user terminal 1000 maytransmit a first advertising packet to the access control device 2000(S2100). The first advertising packet may be transmitted in a broadcastformat. The access control device 2000, while switching a datatransmission path to a first, second, or third frequency band, maytransmit the first advertising packet in one of the first, second, andthird frequency bands. For example, the first, second, and thirdfrequency bands may be 2402 MHz, 2426 MHz, and 2480 MHz, respectively.

The first advertising packet may include a request for a public key. Thefirst advertising packet may include a request for receiving a publickey from the access control device 2000. The request for the public keymay be provided in the form of transmission of a first advertisingpacket in which predefined data (e.g., 11111111) is inserted into aspecific field. Alternatively, the request for the public key may beprovided in a form in which the user terminal 1000 transmits a firstadvertising packet including identification information of the userterminal 1000, and the access control device 2000 identifies theidentification information included in the first advertising packet andthen transmits a public key.

Referring to FIG. 8A, data included in a payload of the firstadvertising packet may not exceed 38 bytes. For example, informationcorresponding to the request for the public key included in the firstadvertising packet may not exceed 38 bytes.

The access control device 2000 may perform scanning. The access controldevice 2000, while switching the data reception path to a first, second,or third frequency band, may receive the first advertising packet in oneof the first, second, and third frequency bands. For example, the first,second, and third frequency bands may be 2402 MHz, 2426 MHz, and 2480MHz, respectively.

The access control device 2000 that has received the first advertisingpacket may transmit a second advertising packet (S2200). For example,the second advertising packet may be provided in the form of a scanrequest.

According to the embodiment of the present application, the accesscontrol device 2000 may transmit the second advertising packet through adata transmission path through which the first advertising packet hasbeen received.

The second advertising packet may include a public key. The public keyincluded in the second advertising packet may be a public keycorresponding to a private key stored in the access control device 2000.Alternatively, the public key included in the second advertising packetmay be a public key corresponding to a private key received by theaccess control device 2000 from the authentication server 3000.

Referring to FIG. 8A, data included in a payload of the secondadvertising packet may not exceed 38 bytes. For example, the public keyincluded in the second advertising packet may not exceed 38 bytes.

The user terminal 1000, upon receiving the second advertising packetfrom the access control device 2000, may transmit a third advertisingpacket (S2300). The user terminal 1000, upon receiving the secondadvertising packet from the access control device 2000, may transmit athird advertising packet to the access control device 2000 (S2300). Forexample, the second advertising packet may be in the form of a scanresponse.

According to the embodiment of the present application, the userterminal 1000 may transmit the third advertising packet through the datatransmission path through which the second advertising packet has beenreceived.

The third advertising packet may include open authentication informationencrypted with the received public key. The open authenticationinformation may include information provided to open the door. Forexample, the open authentication information may include at least one ofuser identification information, identification information of the userterminal 1000, a PIN, and a password.

Referring to FIG. 8A, data included in a payload of the thirdadvertising packet may not exceed 38 bytes. For example, the openauthentication information encrypted with the public key and included inthe third advertising packet may not exceed 38 bytes.

The access control device 2000, upon receiving the third advertisingpacket including the open authentication information from the userterminal 1000, may identify the open authentication information (S2300).The access control device 2000 may check the validity of the openauthentication information (S2500). The access control device 2000 maydetermine that the door is opened when the validity of the openauthentication information is checked (S2600).

According to the embodiment of the present application, the accesscontrol device 2000 may decrypt the open authentication information onthe basis of the private key. The private key may be stored in the doorstorage unit 2500. Alternatively, the access control device 2000 mayreceive the private key from the authentication server 3000 and decryptthe open authentication information using the received private key.

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information stored in theaccess control device 2000 with the open authentication information tocheck the validity of the open authentication information. Thecomparison procedure may be performed by the door control unit 2600.

According to the embodiment of the present application, the accesscontrol device 2000 may compare authentication information received fromthe authentication server 3000 with the open authentication informationto check the validity of the open authentication information.

The authentication information may be information for checking thevalidity of the open authentication information. For example, theauthentication information may include at least one of useridentification information, identification information of the userterminal 1000, a PIN, and a password.

According to the embodiment of the present application, the accesscontrol device 2000 may determine the door to be opened (S2600). Forexample, the access control device 2000 may determine that the door isopened when the open authentication information received from the userterminal 2000 matches the authentication information received from theauthentication server 3000. As another example, the access controldevice 2000 may determine that the door is opened when the openauthentication information received from the user terminal 2000 matchesthe authentication information stored in the door storage unit 2500.

For another example, the access control device 2000 may determinewhether to open or close the door by identifying the open authenticationinformation (S2300). The access control device 2000 may check thevalidity of the open authentication information on the basis of whetherthe open authentication information is decrypted by the private key. Inother words, when the third advertising packet is decrypted by theprivate key, the access control device 2000 may identify that the userterminal 1000 having transmitted the third advertising packet has aright to access the door associated with the access control device 2000,and determine that the door is opened.

Even in the access management system 10000 according to the presentembodiment, a connection may be established between the user terminal1000 and the access control device 2000 after the transmission of thethird advertising packet in S2300 as required. A detailed descriptionthereof has already been described above and thus will be omitted.

FIG. 11 is a diagram for describing an operation in which an advertisingpacket is transmitted according to a user input, which is input to theuser terminal 1000, in an access management system 10000 according to anembodiment of the present application.

In a case in which the user terminal 1000 operates as an advertiser inthe access management system 10000 disclosed by the present application,when an input for transmitting an advertising packet to the accesscontrol device 2000 is received from a user of the user terminal 1000(S2050), a first advertising packet may be transmitted to the accesscontrol device 2000 according to the input of the user (S2100).

Subsequent to S2100, operations similar to those in the accessmanagement system 10000 described in FIG. 10 are performed, and thusredundant descriptions will be omitted.

FIG. 12 is a diagram for describing an operation of an access managementsystem 10000 according to the signal strength of an advertising packetreceived from a user terminal 1000 according to an embodiment of thepresent application.

In a case in which the user terminal 1000 operates as an advertiser inthe access management system 10000 disclosed by the present application,the user terminal 1000 may transmit first advertising packets at apreset time interval (S2100). The user terminal 1000 may broadcast thefirst advertising packets at a preset time interval.

The access control device 2000 may perform scanning. The access controldevice 2000 may receive the first advertising packet. The access controldevice 2000 may, upon receiving the first advertising packet, check areceived signal strength indication (RS SI) (S2150).

The access control device 2000 may, when the strength of a signal withwhich the first advertising packet has been received exceeds a referencevalue, transmit a second advertising packet (S2200).

According to the embodiment of the present application, when thestrength of the signal with which the first advertising packet has beenreceived is less than the reference value, the access control device2000 may not transmit the second advertising packet, and thus the keyfor decrypting open authentication information on the basis of the firstrandom key, the second random key, and the third random key may not begenerated.

Subsequent to operation S2200, operations are performed similarly to theoperations in the access management system 10000 described in FIG. 10 ,and thus redundant description will be omitted.

According to the present application, a recording medium, on which aprogram for performing the operations according to the embodimentsdisclosed above may be recorded, may be provided. The recording mediummay be implemented in the form of a Universal Serial Bus (USB) memory,an SSD, or an SD card having a physical structure or may be implementedin the form of a web drive having a virtual storage space through aserver.

According to the present application, the user terminal 1000, the accesscontrol device 2000, and/or the authentication server 3000 forperforming the operations according to the embodiments disclosed in theabove may be provided.

Although the present invention has been described in detail above withreference to the exemplary embodiments, those of ordinary skill in thetechnical field to which the present invention pertains should be ableto understand that various modifications and alterations may be madewithout departing from the technical spirit or essential features of thepresent invention. Therefore, such modifications or alternations comewithin the scope of the appended claims.

1. An access control method of an access control device thatauthenticates user terminal access using an advertising packet, theaccess control method comprising: broadcasting the advertising packet toa plurality of user terminals in a predetermined range, wherein theadvertising packet includes a first public key and an identificationinformation of the access control device; receiving a first packet froma first user terminal of the plurality of user terminal, wherein thefirst packet includes variable information encrypted based on the firstpublic key, wherein the variable information includes openauthentication information corresponding the access control device,wherein the first user terminal pre-store the open authenticationinformation corresponding the access control device; loading a firstprivate key corresponding to the first public key; decrypting theencrypted variable information based on the first private key to obtainthe open authentication information; and determining whether to open adoor or not based on the open authentication information.
 2. The methodof claim 1, wherein the first packet is not received from the other userterminals of the plurality of user terminals that do not pre-store theopen authentication information corresponding the access control device.3. The method of claim 1, wherein the first packet includes a secondpublic key, and wherein the open authentication information is encryptedbased on the first public key and a second private key, and wherein thesecond private key corresponds to the second public key.
 4. The methodof claim 3, wherein the decrypting the encrypted variable information isto decrypt the open authentication information based on the firstprivate key and the second public key.
 5. The method of claim 1, whereinthe first packet includes a second public key, wherein theidentification information of the access control device is encryptedbased on the first public key and a second private key, and wherein thesecond private key corresponds to the second public key.
 6. The methodof claim 5, wherein the decrypting the encrypted variable information isto decrypt the identification information of the access control devicebased on the first private key and the second public key.
 7. The methodof claim 1, wherein the determining whether to open a door or notcomprises determining whether to open a door or not by comparingauthentication information stored in the access control device with theopen authentication information.
 8. The method of claim 1, wherein thedetermining whether to open a door or not comprises determining whetherto open a door or not by comparing authentication information receivedfrom an authentication server with the variable information.
 9. Themethod of claim 7, wherein the open authentication information includesa first key used for access to the door.
 10. The method of claim 9,wherein the determining whether to open a door or not comprisesdetermining to open a door when a key stored in the access controldevice matches the first key.
 11. The method of claim 1, wherein thedetermining whether to open a door or not comprises determining whetherto open a door or not based on whether the variable information isdecrypted.
 12. The method of claim 1, wherein the transmitting theadvertising packet to the first user terminal is performed before acommunication channel is established through frequency synchronizationbetween the first user terminal and the access control device.
 13. Anon-transitory computer-readable recording medium having recordedthereon a program for performing the method of claim 1.